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(54) Electronic access control system and method 



(57) Disclosed is a new and flexible approach for 
managing physical security in an electronic lock-and- 
key system. The novel approach does away with cabling 
or other direct connecting between locks (2) and a sys- 
tem management center (1). The (physical) keys (3) 



serve to disseminate access control and other informa- 
tion within the system in a snowball-like way, using an 
adapted, but simple networking protocol. Whenever ap- 
proplate, cryptographic schemes are applied to protect 
the system. . 
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Description 
Technical Field 

5 [0001] This invention relates to an electronic lock-and-key access control system and discloses a novel and very 
fiexible approach for managing the physical security o1 such a system. Such systems are extensively used in industry, 
in the hotel business, in banks, and in other environments where it is desirable to control or restrict access to rooms 
or equipment. Many of these systems are using cards, sometimes even smartcards with built-in processing power. 
Such cards are generally magnetically or in other ways readable by a reader associated with each lock. To enable or 

10 block the use of certain keys, to restrict the access timely, or to change the security system in any other way. access 
information or messages have to be transmitted to - and sometimes from - the locks. This Is often done via a cabling 
system connecting the locks to a central security management device, but other transmission means are also used. 
However, the more or less direct connection between management device and locks Is characteristic for prior art 
approaches. 

IS 

Background 

[0002] Each and every one of us relies daily on keys to gain access to our cars, homes, and offices, to snap open 
the lock on our bicycles, or unlatch our postal boxes. Hence, keys are undeniably an integral part of modem society 

20 Today, most of these keys are still of the mechanical type, as are the associated locks. 

[0003] Although widely spread, these traditional, mechanical keys suffer from a number of shortcomings. First, in 
case of security breach, such as loss of a key, unauthorized duplication, or deprecation of trust assumptions, the lock 
must be replaced. Second, a key is valid as long as the corresponding lock remains in place. For example, once an 
access right is given to an individual by handing himTher a key. that right cannot be revoked unless the key is returned 

2S or the lock changed. As a consequence of these limitations, traditional lock-and-key systems do not allow to institute 
a time-based access policy, for example allowing access during office hours only, or protecting certain areas during 
certain times of the day. In the many environments where such requirements exist, traditional lock-and-key systems 
are no more sufficient. 

[0004] Clearly, traditional keys offer only inflexible and rather limited management possibilities, but they are widely 
30 available, very reliable, and reasonably cheap. Still, replacement solutions with higher flexibility and extensive man- 
agement possibilities have been invented and found their way to the market. For example in hotels and enterprises, 
electronic locks and appropriate electronic keys are widely used, providing very flexible and rather quick management 
of access rights. 

[OOOS] An example of a system using smartcards of different kinds is shown in Lee US Patent 5 204 663 to Applied 
3S Systems Institute, Inc., which discloses an access control system with integrated-circuit cards, i.e. smartcards, some 
of which have a memory to store key access information and so-called transaction information. Whereas the key access 
information here relates to the immediate use of the key, e.g. the present access code of the card, relates the transaction 
information to other activity, e.g. a log of previous use of the lock as it is recorded in the lock's memory, specific new 
access codes to be uploaded into specific locks, or a log of failed entry attempts of the card user. Some of this transaction 
40 information is transferred from the lock into the card's memory, some from the card into the lock, and some just stored 
on the card for later readout. 

[0006] One example of a lock which may be used in such an environment is the SaFixx smartlock, described in the 
Internet on http://acola.com, a lock made by ACOLA GmbH in Villingen-Schwenningen, Germany. The Safixx smartlock 
even exhibits some specific properties (discussed below) that may make it quite useful in connection with the present 
45 invention. 

[0007] Other examples can be found in the literature. All of them have one disadvantage. They require a kind of 
"direct" access to each and every electronic lock in the system, be it that the locks are connected by a cabling or radio 
network to a management center, or that one has to walk up to each lock and "reprogram" it manually or electronically, 
as with the Safixx smartlock mentioned above or as with the system disclosed in the above-cited Lee US Patent 5 204 
so 663. Either of these methods is burdensome: A network of cables to all locks in a hotel or an plant will usually cost 
more than the electronic locks themselves, a radio transmission system requires a transceiver and power in each and 
every lock and may thus be even more expensive (and failure-prone) than a cabling network, and walking to each and 
every lock may be simply impossible in a reasonable time frame. 

[0008] Here, the invention intends to provide solutions. To summarize, it is an object of the present invention to avoid 
ss the above-described disadvantages and devise a reliable and flexible electronic lock-and-key system which has no 
need for "direct" (in the above sense) connections between locks and an associated management center controlling 
security within the system. 

[0009] Another object is to simplify expansion of a given system when installing additional locks or other access or 
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security devices, or to facilitate changes within a given system by installing new locks and/or exchanging existing ones. 
[0010] A further object is to devise an architecture that allows a practically unlimited flexibility with regard to protocol 
changes or security updates between management center and locks. Such updates are necessary after a "successful" 
attack, or after card keys have been lost or stolen, or when security aspects of the system are changed, e.g. certain 
physical areas in a plant or lab become "restricted access" areas. 

[001 1] A specific object is to devise an architecture which allows an "on-the-fly" expansion of such a system. 



The Invention 



[001 2] In essence, the novel approach according to the invention concentrates on using means, especially hardware, 
already existing In a usual electronic lock-and-key system. Access control and other information which need to be 
updated or changed is disseminated through existing smartcard or similar keys and the existing locks without any need 
for a connection between the latter and a central or distributed management center controlling this information. For 
this, a suitably adapted networking protocol is being used and, wherever appropriate, cryptography to protect the 
IS system against possible attacks. 

[0013] In the following, the primary innovation, namely the propagation of access control information in cable-free 
environments, is discussed in more detail. It is also described how cost effective and easily manageable electronic 
locks can be generally implemented. Thereafter, attacks and implied security assumptions of such a system are dis- 
cussed. 

[0014] Contrary to most current electronic security systems, the system disclosed in this document does not require 
fixed network connectivfty of any kind, be ft wire-based or radio-based. Consequently, cost associated with cabling or 
radio transmission equipment is eliminated. Experience shows that this cost can be an order of magnitude higher than 
the cost of the locks themselves. It should be mentioned here that in this document the term "key" does not designate 
the traditional metallic key but rather any arbitrary carrier of infomriation, e.g. smartcards or IBM's JavaCard. Similarly, 
the term "lock" will usually designate an electronic lock. 

[0015] Instead of the locks receiving electrical power via a fixed cable, the required energy to operate the lock can 
be delivered either through the user's key or through an battery embedded in the lock or door. Clearly, in such a 
construction, power consumption must be kept to a strict minimum so that batteries last at least a few years! Electronic 
locks exhibiting the desired physical properties such as tamper resistance, operational reliability and long battery life, 
already exist on the market. The above mentioned SaFixx smartlock is an example of a lock exhibiting these properties! 
The present invention emphasizes the logical aspects of cable-free lock constructions, not so much the physical design. 

Description of an Embodiment 



[0016] In the following, the invention will be described in more detail in connection with a drawing which shows a 
block diagram of a typical access control system according to the invention, in particular the principle of message or 
information propagation in such a system. 

[0017] As shown in the Figure, a Door Domain Access Manager {OD AM) 1 is the entity holding authority over an 
ensemble of locks 2. For the sake of simplicity, only some of them carry reference numbers 2a. 2b, etc. DDAM 1 plus 
40 the set of bcks 2 constitute an administrative domain 4. It is assumed that DDAM 1 is composed of a single entity, as 
shown. This restriction may be removed by applying threshold signatures as described by Douglas R. Stinson in "Cryp- 
tography - Theory and Practice", CRC Press, 1996. and some more or less straightf onward extensions to the commu- 
nication protocol presented in this document. 

[0018] Also shown is a plurality of keys 3. of which just a few have reference numbers 3a, 3b. etc.. again to keep 
45 the drawing clean. 

[0019] Each lock 2, usually associated with a door, as mentioned above, has a key (or card) reader of conventional 
type and a memory. The memory is organized to store two different sets of data or information, one first set consisting 
of one or more tokens (the number depends on the overall organization of the lock-and-key system), the second set 
comprising a message of so-called designated data, I.e. data designated forother keys or locks. The latter Is a transient 
message which is only held for some time in the lock's transient memory part. 

[0020] The keys 3 are of a very similar design as far as their memory is concerned. Their memory is also able to 
store two different sets of data or information. One first set consists again of one or more tokens (the number depending 
on the overall design of the lock-and-key system) and may be called a "key-activating" set. The second set consists 
again of a message of designated data, i.e. a transient message designated for other keys or locks, which message 
IS held only for some time in the key's transient memory part. Simply said is this latter part of the key's memory the 
information transport path within the whole system. 

[0021] Looking at the Figure, one recognizes that, using the keys as transport means for the designated data, there 
IS usually a plurality of ways to each lock and key. A rather simple example shall clarify this. 
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[0022] Assume ODAM 1 issues a message for lock 2e (at the bottom), e.g. that a certain key, say key 3d, is not 
allowed to enter the room behind the door of lock 2e. This message designated for !ock 2e is "entered" Into the network 

via line 5, which latter may be a cable connection, any mobile data carrier, a wireless connection of any kind, etc. As 
soon as lock 2a has received the message, each and every key used at this lock 2a receives and stores in its transient 
5 memory part a copy of said message. Key 3a will transport it to lock 2b. key 3b will read and store it, transporting it to 
lock 2c (and others), from there, the set will travel via key 3c, lock 2d, key 3d and/or keys 3e to its designation, lock 
2e. Note that even key 3d, who would be negatively affected by the transported message, may convey it to the desig- 
nated lock 2e. 

[0023] As soon as lock 2e receives the designated message, it issues an acknowledgement which now travels back 

10 through the system in the same fashion as the original message until it reaches DDAM 1, which closes the loop. The 
acknowledgement, since it recognizably refers to the message, erases the still stored (original) message in the both 
the keys and the locks through which it travels. Again, this is the overall function of the electronic lock system according 
to the invention In great simplification; details will be apparent from the subsequent description, which also addresses 
the theory behind some solutions. 

IS [0024] As mentioned above, a user is granted access through a lock 2 (or door, which terms are used interchangeably 
in this document) only if his/her key exhibits an appropriate token issued by the DDAM. All tokens are minted with an 
expiration date. The DDAM may choose to revoke the access rights of any user at any time. 
[0025] Keys are built so that they may hold multiple tokens as well as other types of data. Whether tokens are based 
on public key cryptography, shared secrets or some other type of security primitive is irrelevant at this stage. 

20 [0026] In addition to storage capacity, doors may have computational capabilities allowing them to process tokens 
issued by the DDAM. The relation between DDAM and doors/locks 2 is that of master and slave. It is the DDAM's 
reserved prerogative to determine who may traverse which door and until what time and date. Consequently, the doors 
within an administrative domain 4 must completely trust the DDAM and blindly obey its orders. However, doors do not 
honor orders given by a DDAM outside their domain. There is no direct cabling linking the doors among themselves 

2S nor with the DDAM required. This mandates the alternative communication mechanism addressed above so that the 
DDAM and the locks can still exchange information. But note that the possibility of doors exchanging messages with 
one another is not necessarily precluded; also, there may be single selective "direct" connections between the DDAM 
and one or more selected locks. 

30 Suitability Considerations 

[0027] As users are required to present a valid token to access a door (by constructbn), the dissemination of positive 
access rights is not an issue. The DDAM can pass a token to a given user through a (secure) terminal or the token 
can simply be dropped at a door, e.g. lock 2a, until the user unwittingly picks it up. Renewing tokens that are about to 
3S expire can be accomplished in a similar fashion. 

[0028] On the other hand, how can one ensure that a negative token (i.e. access revocation) reaches the relevant 
lock without excessive delay? 

[0029] The solution for this problem is particularly appropriate in cases where all users happen to go through certain 
central doors, such as a building entrance, an elevator, or garage barriers. In another favorable scenario which is typical 
40 of business environments, rapid propagation of information is guaranteed by workers who arrive at work in the morning 
or by the maintenance/security personnel who frequently go through many doors. Looking at the Figure, door/lock 2a 
may be particularly suitable for that purpose. 

[0030] As shall be explained later, if control information does not reach the destination node, i.e. the destined lock 
2, the source, usually the DDAM, will not receive an acknowledgment. The DDAM can thus detect failure. It follows 
4S that In case there is no privileged central door and the target door is infrequently visited, the operator of the DDAM is 
alerted and he/she can always walk to the door in question. Critical doors requiring immediate infomiation propagation 
could also be connected to the DDAM with a dedicated cable or by other "direct" means. 

Network Model 

so 

[0031] As explained, to make certain that information is propagated in a timely fashion, user's physical keys 3 carry 
messages to and from between locks 2 and DDAM 1 . Moreover, locks 2 act as a temporary repositories for messages 
designated for other locks. Doors and/or tocks are modeled as nodes in a network and users as channels linking these 
nodes. For example, a temporary channel between lock 2a and lock 2b is established when a user travels through 
55 them, using key 3a. To improve connectivity, intermediary locks and user keys must act as repositories. As explained 
above, a user Alice may pick up a message from door 2a and leave it at door 2b. Then, user Bob with key 3e happens 
to go through door 2a and carries the message to its final destination, say door 2e. 

[0032] More generally, both keys and doors contain a snapshot view of all current pending traffic, that is. all sent but 
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not yet acknowledged packets. This, for any destination within the administrative domain. When a key is inserted in a 
door, both key and door/lock update their respective view of the network. Naturally, this update need not be interactive 

as it can be efficiently performed off-line. This way the user shall not be delayed waiting for the key and the lock to 
synchronize when going through a door. Off-line updates mandate that each entity possesses its own power source. 

5 

77?© Networking Protocol 

[0033] The well-known TCP/IP protocol, as described by W. Richard Stevens in "TCP/IP Illustrated', Vol. I, Addison 
Wesley, 1994, sen/es as a basis and is simplified and somewhat optimized for the novel application. In an abstract 
10 sense, the problem can be stated as the building of a transmission control protocol (e.g. TCP) on top of a high-loss, 
varying-topology LAN. 

[0034] First, it is assumed that each node of the network, that is a key, a door/lock or the DDAM, can be addressed 
individually. Hereafter, the term node may refer to a door/lock, a key, or the DDAM. This can be accomplished by using 
the addressing scheme of any networking layer protocol, in particular the Internet Protocol, as described by J. Postel: 

IS "Internet Protocol' in the publication of the Internet Engineering Task Force, September 1 981 , RFC 791 . 

[0035] As mentioned earlier, each node is responsible for propagating messages or packets, even if it is not the 
intended recipient, until the packet is acknowledged, at whk:h time the packet is erased from the node's memory. 
[0036] Like in TCP. described by J. Postel: "Transmission Control Protocol" in Intemet Engineering Task Force, Sep- 
tember 1981. RFC 793, each packet requiring acknowledgment is sent with a monotonlcally increasing sequence 

20 number. TCP deals with packet fragmentation caused by the IP layer in the present homogeneous setting, packets 
are not liable to be fragmented. Hence the sequence numbers correspond to packets and not the number of bytes 
sent. This is unlike TCP. but has the advantage of being both simpler and more space efficient. 
[0037] Once a message is received, the recipient issues an acknowledgment which is sent back to the sender, 
acknowledging the received packet. This acknowledgment consists of the usual addressing infomnation and at least 

25 two other fields: a cumulative sequence number, denoted n, and a bit field of w bits length. 

[0038] The actual value of n indicates that packets bearing a lower sequence number (inclusive) have been correctly 
received without gaps. The bit field provides infomnation on out-of-order packets. The bit field loosely corresponds to 
the so-called "sliding window" of TCP. ' 

[0039] As in TCP. packets outside of the sliding window, that is packets bearing a sequence number outside the 
30 range m-l to n+w, are dropped. However, if an incoming packet completes to a sequence with no gaps, then n is 
incremented and an acknowledgment sent back to the source. Each packet received out of order but within the sliding 
window is tallied by turning on a corresponding bit In the bit field. 

[0040] Thus, after the acknowledgment propagates back the sender of the packet, the source can selectively re- 
transmit packets that have been lost. Packets that have correctly arrived, albeit out of order, need not be retransmitted. 
35 Also, packets that have been selectively acknowledged are dropped by Intermediary nodes regardless of whether the 
source has received the acknowledgment or not, thus preserving precious memory space at each intermediary node. 
[0041] It is important to note that acknowledgments presented here have an absolute ordering much like cumulative 
acknowledgments. Thus, they may be compared with one another. Consequently, only the newest acknowledgment 
need to be stored by the intermediate nodes as the newest acknowledgment overrides all previous ones. 

40 

Window Size 

[0042] It is reasonable to assume that in most cases the frequency of revocation messages sent to a specific door 
or lock Is low. Thus, very small window sizes (say 2) may amply suffice to satisfy the needs of even large organizations. 
45 [0043] However, for exceptional cases, the window size can be increased at will. This can be accomplished by the 
DDAM sending out a broadcast message instructing all doors to adjust the window size for a given source/destination 
pair. Broadcast messages bear a fixed destination address recognized by all. 

Clockirrg informatior) 

so 

[0044] The DDAM could keep time on behalf of all other entities in the administrative domain. The DDAM sends 
timing updates as frequently as it can (i.e. each time it has contact with a user or door). As with acknowledgments, 
only the latest clock information need be stored by intermediate nodes, again saving precious memory space. In this 
way, there is no need for doors to have individual clocks. 

55 

Cryptographic Aspects 

[0045] The cryptographic representation of a token can have overreaching effects on security management. The 
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security implications of a secret key based architecture shall first be discussed. Next, the implications of a public key 
architecture are described. 

Shared Secret 

s 

[0046] Tokens can be based on a shared secret between the DDAM and the locks. Let us assume the DDAM and 
lock ij share the secret S|. To grant user t/j access through /j, the DDAM would authenticate the access string a^, where 

a„ = "Let u. through L until 1/1/2001". (1) 

[0047] The authentication could be based on any secure keyed message authentication function, such as HMAC as 
described by R. Canetti at al in "HMAC: Keyed-Hashing for Message Authentication". Engineering Task Force, February 
1997, RFC 2104. We have 

IS 

f.j = HMAC(s., ajj)||aij , 

were i-j is the access token and || denotes string concatenation. Note that tokens could have other representations 
20 based on different types of authentication. User t/j would be granted access through { by presenting the token until 
1 January 2001. 

[0048] As in any digital representation of information, a token may be easily duplicated. In the shared secret setting, 
if a token can be 'seen'* by a rogue lock or any other unauthorized party, then the token has been effectively stolen. 
Indeed, the attacker could present the stolen token to the corresponding lock and obtain illegitimate access. 
25 [0049] To mitigate the menace, security must be augmented by other means. For example, one may impose a uni- 
versally unique serial number to be burned Into each physical key, I.e. smartcard or the like, and Issue tokens for a 
particular serial number This may provide enough security to repel unsophisticated attackers. However, a determined 
adversary may print his/her own physical key with fake serial numbers. 

[0050] For high security applications, it is crucial that the physical key allows only selective access to information. 
30 As a physical key is inserted in a lock, it should be able to verify whether the user has a specific token allowing passage 
through that lock. However, the particular lock should not be able to read tokens (on the key) relevant to other locks, 
possibly In other administrative domains. But even if a physical key allows selective access to Information, \ock ^ can 
pretend to be lock 1^ and steal the token (for 

[0051] The token duplication attack constitutes a severe threat, particularly if electronic locks become truly ubiquitous. 
55 Universal deployment means that physical keys will be used in mutually untrusting domains. 

[0052] One can protect against this attack by requiring the lock to identify itself to the physical key; only then will the 
key reveal the token for the Identified lock. 

[0053] If this identification is based on a shared secret between the doors and the users, the number of shared 
secrets will explode for even medium sized organizations because each lock will have to share a secret with each user 

^0 that goes through it. Thus, lock-user shared secrets may be suitable for small settings only 

[0054] Alternatively, a KryptoKnight type third party authentication technique may be used as described by R Janson 
et al "Scalability and flexibilrty in authentication sen^ices: The KryptoKnight Approach" In IEEE INFOCOM '97. Tokyo, 
Japan, April 1 997, and R. Bird et al "The KryptoKnight family of light-weight protocols for authentication and key dis- 
tribution" in IEEE Transactions on Networking, 1995. Also, a Kerberos type third party authentication techniques could 

^5 be employed, described by J. Kohl et al. "The Kerberos Network Authentication Service", V5, Internet Engineering 
Task Force. September 1993, RFC 1510 and by B. Clifford Neuman et al in 'Kerberos: An authentication service for 
computer networks". IEEE Communications Magazine, 32(9): pp.33-38, September 1 994. In such a scheme, all users 
and locks would share a secret with the DDAM. Since the DDAM shares a secret with all nodes, it can convince any 
node of the identity of another. 

5^ [0055] Let Sj represent the long term secret that user Uj shares with the DDAM, and S| the secret that lock f■^ shares 
with the DDAM. The DDAM would randomly choose an encryption key k. The access string would become: 

="Let through /j user knowing until 1/1/2001" (2) 

55 

[0056] The DDAM would issue the ticket 7]| defined as 
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Tjj = {HMAC(s.. a..)|| a^ls^ || {k)Sj (3) 

where {m)x denotes symmetric encryption of message m using encryption key x and ay is given by equation (2). 
5 [0057] User u- would strip the encryptbn {kjSj from the ticket T^ to retrieve the token ^, It would then obtain /r from 
{k}Sj by decrypting it with its long term shared encryption key with the DDAM, that is Sj. 

[0058] To pass tough door /j, the user would present fq. The lock ij would retrieve the encryption key /c contained in 
ajj by decrypting f|j with its long term shared secret key Sj. The door would then challenge the user for the knowledge 
of encryption key k. If the response checks with the issued challenge, then the user would be granted access. 
10 [0059] Note that the DDAM has to precompute Tij for given message ajj and given nodes U[ and ij. Remember that 
there is no direct channel (a connecting cable or the like) to the DDAM. Consequently, the Kerberos setting is unsuitable 
for situations where either the message being authenticated, or the intervening parties, are not known in advance. This 
is an important limitation if the application requires that disruption attacks be thwarted. 

[0060] The verbosity of the access string ajj should indicate to the reader that the protocol just described is not 
optimized, but is essentially intended for illustration purposes. 

Public Key Setting 

[0061] An alternative setting would have the DDAM and all users within the domain hold a public/secret key pair. 
Each lock within an administrative domain would be installed with the DDAM's public key The DDAM would then certify 
the public keys of ail users within its administrative domain. 

[0062] The access token for user Uj through lock ^ would be the DDAM's signature on the message ajj, as defined 
in equation (1). Whenever a user wishes to cross a door, it would present the token to the lock, which would verify 
DDAM's signature. To prevent impersonation, the door would require the user to prove knowledge of the secret key 

25 corresponding to the user's (DDAM certified) public key 

[0063] This proof can be based on any challenge response type protocol, such as described by 10 by C. P. Schnorr 
in "Efficient signature generation by smart cards', Journal of Cryptology, 4(3): pp. 1 61 -1 74, 1 991 , or by Uriel Feige et 
al in "Zero-knowledge proofs of identity", Journal of Cryptology: the journal of the International Association for Cryp- 
tologic Research, 1(2): pp. 77-94, 1988, or by Jean-Jacques Quisquater and Louis Guillou in "A practical zero-knowl- 

^0 edge protocol fitted to security microprocessor minimizing both transmission and memory" in Christoph G. Gunther, 
editor, Advances in Cryptology— EUROCRYPT88, Volume 330 of Lecture Notes in Computer Science, pp. 123 -128, 
Springer-Verlag. May 1988. 

[0064] The solution just presented separates the user's credentials from his/her public key Thus, Alice's credentials 
may be transported to the relevant door without Alice having to intervene. To benefit from new credentials, Alice just 
^5 has to prove her identity Alice does not have to obtain a new secret from the DDAM nor change her public key The 
new credentials are transparent to Alice. On the other hand, if one had tied each of Alice's credentials to a corresponding 
secret held by Alice, then Alice would have to communicate to the DDAM on a secure channel each time her credentials 
changed. 

[0065] For example, in the Quisquater-Guillou (above) protocol, the DDAM would send Alice her new credentials, 
denoted by the string J, and a corresponding secret B, such that 



Jd' = 1 mod n (4) 

where n is a public modulus and v is a public exponent. Let cp denote Euler's cp function. Only the DDAM knows the 
inverse of vmod (p(/7), and hence can efficiently compute B, verifying equation (4). 

[0066] To allow the access rights granted by J, the relevant lock would challenge Alice with a random number and 
check that Alice knows the secret corresponding to J. that is S. As usual, Alice does not reveal 6 as a result of the 
challenger-response protocol. Note that the secret B has to be sent by the DDAM to Alice on a secure channel. 

False Acknowledgment Injections 

[0067] In case an attacker is able to inject an acknowledgment message bearing a high sequence number, all inter- 
mediary hops will drop packets bearing a lower sequence number. Although this disruption attack will eventually be 
detected, it will momentarily prevent all communications between the DDAM and the locks. 

[0068] In a variant attack, assuming that newer messages have higher priority, an attacker may flood locks by sending 
fake packets bearing high sequence numbers. The intermediate nodes will regard such packets as being newer and 
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drop lower sequence numbered but genuine messages. This will also disrupt communications. 
[0069] High security applicatbns. especially those slated for universal deployment, mandate that all messages, in- 
cluding acknowledgments, be authenticated. Thus, all nodes, that is all doors/locks, users and the DDAM would have 
a public key certified by the DDAM. 
s [0070] The Kerberos type shared secret setting does not allow for messages to be authenticated for two dynamically 
chosen parties. Thus disruption attacks can only be prevented in the public key setting. 

[0071] From the above discussion of the security implicatbns of shared key versus public key based architecture it 

should have become clear that, because of the key explosion problem, a shared key architecture is suitable only for 
low security applications or for small scale deployment, whereas high security applications or universal deployment 
10 both mandate public key cryptography 

[0072] it shouki also have become clear that the invented flexible architecture for managing physical security using 
electronic locks and physical keys described hereinbefore does not require a permanent channel between the locks 
and a security management center. The question of timely propagation of access control information raised by the 
missing pemnanent connection Is solved by having users act as transmission channels and locks as message repos- 
es itories. 

[0073] Those skilled in the art will be able to implement the above-described cable-less lock-and-key access control 
system as is or with various modifications and adaptations without departing from the scope and spirit of this invention. 
Other embodiments will be apparent to persons skilled in the art on the basis of the above specification and practice 
disclosed herein, the scope of the invention being indicated by the following claims. 
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Claims 



1. An access control system with a plurality of kx:ks and keys, at least part of said locks and keys having memory 
25 means, 

characterized by 

• said memory means of a key being equipped to receive and store informatbn concerning any access rights 
of said key and information designated for other keys and/or locks. 

30 • said memory means of a lock being equipped to receive and store. informatton concerning any access rights 

for said lock and information designated for other keys and/or locks, and 

• means for exchanging said information between locks and keys. 

2. The access control system according to claim 1 . wherein 

35 

• the information concerning access rights of a key includes one or more tokens and/or the information desig- 
nated for other keys and/or locks includes one or more messages for said keys and/or locks. 

3. The access control system according to any of the preceding claims, wherein 

40 

• the memory means In the key and/or the lock stores at least a partial view of the system and 

• the exchanging means triggers an update of said view. 

4. The access control system according to claims 3, wherein 

45 

• the update triggered by the exchanging means is performed off-line, particularly right after said exchanging 
means has completed its function. 

5. The access control system according to any of the preceding claims, wherein 

50 

• the information designated for other keys and/or locks includes one or more messages for said other keys 
and/or locks and is exchanged off-line between a key and a lock. 

6. The access control system according to one or more of the preceding claims, wherein 

55 

• the means for exchanging information between a lock and a key are activated when said key is engaged with 
said lock. 
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7. A key for use in an access control system according to any one of the preceding claims, wherein 

• the memory means includes a read/write section dedicated to the information designated for other keys and/ 
or locks. 

5 

8. The key according to claim 7, characterized by 

• a power source, preferably being rechargeable when said key is used with a lock. 

10 9. A lock for use in an access control system according to any one of the claims 1 to 6, wherein 

• the memory means includes a read/write section dedicated to the information designated for other keys and/ 
or locks. 

IS 10. The lock according to claim 9, characterized by 

• a power source, preferably being rechargeable when a key is used with said lock. 

11. A method for propagating information in an electronic lock-and-key system, characterized in that 

20 

• an original message to be propagated to an n-th lock or key is inserted into a memory of a first lock or a first 
lock, respectively, 

• on any use of said first key or said first lock, said original message Is copied into a memory of a second lock 
or key, respectively, but remains in said first lock's or first key's, respectively, memory, 

2S •on any subsequent use of said first and/or second key and/or said first and/or second lock, said original mes- 

sage is copied Into a memory of a next lock or key, respectively, but remains in the memories of said previously 
used locks and/or keys, respectively, 

• until said original message, propagated in the described snowball-like way, reaches its destination, i.e. sarcl 
n-th lock or key. 

30 

12. A method for propagating information in an electronic lock-and-key system, characterized in that 

• an original message to be propagated to an n-th lock or key is stored in a memory of a first lock, 

• when a first key is used with said first lock, said original message is copied into said first key's memory, but 
3S remains in said first lock's memory, 

• when said first key is used with a second lock, said original message copied into said second lock's memory, 
but remains in said first key's memory, 

• when a second key is used with said second lock, said original message is copied into said second key's 
memory, but remains in said second lock's memory, 

40 • until said original message, propagated in the described way, reaches its destination, i.e. said n-th lock or key. 

13. The method for propagating information according to claim 11 or claim 12, further characterized in that 

• the n-th lock or key produces a confirmation message acknowledging reception of said original message which 
45 confirmation message senses to control erasing of the copies of the original message in the memories of the 

locks and keys. 

14. The method for propagating information according to claim 13, further characterized in that 

so • the confirmation message is propagated through the system In the same way as the original message, 

• said confirmation message, when received by a lock or key whose memory still contains a copy of said original 
message, acts on, in particular serves to erase said original message. 

15. The method for propagating information according to any of the claims 11 to 14, further characterized In that 

55 

• after a selective or universal time-out, copies of said original message are selectively or universally erased. 

16. The method for propagating information according to any of the claims 11 to 15, wherein 
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• original messages and/or confirmation messages, especially those concerning the same lock or key, are or* 
dered, in particular sequentially numbered. 

17. The method for propagating information according to claim 16. further characterized in that 

• any message of tower order, in particular with a lower sequence number, Is erased in the respective memory 
when a message of higher order, in particular with a higher sequence number, Is received by a lock or key 
during propagation. 

18. The method for propagating Information according to any of the preceding method claims 11 to 17, wherein 

• original messages and/or confirmation messages are fully or partly encrypted, in particular using a shared key 
encryption scheme and/or a public key encryption scheme. 
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Figure 
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